Hey, welcome back everybody. Jeff Frick here with theCUBE. We're at Node Summit 2017 in downtown San Francisco, Mission Bay Conference Center, about 800 people talking about Node, Node.js, the crazy growth in this application development platform, and we're excited to have our next guest to talk about security, which I don't think we've talked about yet. So, Guy Podjarny, I'm sorry, Podjarny. Welcome. He's the CEO of Snyk. Not spelled like "sneak," you'll see it on the lower third.

It's amazing how often we get that question: how do you pronounce Snyk? Obviously people that have never had to start up and try to go through a URL search just don't know what it's all about.

Indeed, and your sort of Google dominance.

It's short for "so now you know." So now you know.

Oh, so now you know. Okay, perfect. Super. So first off, welcome. Great to see you.

Thank you, thanks for having me.

So you said it's your second year at the conference. I wonder if you can just kind of share your general impressions of what's going on here.

Sure. Well, I think Node Summit is an awesome conference, and I think this year's event is bigger, better organized. I don't know if it's bigger people-wise, but it definitely feels that way, sort of feels more structured. It's nice to see in the audience as well just an increased amount of larger organizations that are around and talking about their challenges. And a little bit, although we're sort of early in the conference, but a little bit of more experienced conversations. So conversations about, hey, we've used Node and we've encountered these issues, versus, you know, we're about to use it, we're thinking of using it. So you can definitely see the enterprise adoption kind of growing up. That's my primary kind of impression so far.

Yeah, it's interesting, because you're a startup, but, you know, Microsoft is here, Google's here, Intel is here, IBM is here.
So a lot of the big players who've demonstrated in other open source communities that they have completely embraced open source as a method and a way to get closer, actually more than the software, is getting close to the development community.

Yeah, I agree, and I think another adjacent trend that's happening is serverless. And serverless has grown ridiculously, like by massive amounts, in this last while. And Node.js is sort of the de facto default language for serverless; Lambda started with it in AWS, and many of the other platforms only support it. So I think that contribution also brings the giants a little bit more in here, the cloud giants. But also, I think, again, it just sort of boosts Node.js, as though the Node.js ecosystem needed a boost. You know, they get yet another amplifier to sort of raise enterprise awareness and general usage.

Okay, so what's Snyk all about? Give us the, for people who aren't familiar with the company.

Well, Snyk deals with open source security, and specifically in Node.js, the world of NPM. So NPM is amazing, and it allows us to build on the shoulders of giants and all the others in the community. But there are some inherent security risks with just pulling code off the internet and running it in your application. And what we do at Snyk is we help you find known security flaws, known vulnerabilities, in NPM packages, and do that in a natural fashion as part of your continuous development process, and then fix those efficiently and monitor for them over time. Yeah, so that's basically what we do.

So your focus is really keeping track of all these other packages that people are using for their development.

Yeah, precisely, and we're sort of helping you just use open source code and stay secure. And Node is kind of our flagship and is where we started and built, and now we're sort of supporting a bunch of other ecosystems as well.
It's interesting, Monica from Intel said that in some of their work, they found that on some of these applications the actual developers are only contributing like 2% of the code, because they're pulling in all this other stuff.

Yeah, precisely. I have this example that I use in a bunch of my talks that shows a serverless example that has 19 lines of code, copies some file from a URL and puts it on S3. It has 19 lines of code, which is awesome. It uses two packages, which in turn use 19 packages, which bring in 190,000 lines of code. So, you know, that's a massive, that's 19 to 190,000.

So it starts with two?

19 lines of code, two NPM packages. They use 19 packages, because every package uses other packages as well. And combined, those 19 packages bring in 190,000 lines of code.

Wow, that is amazing.

That's an extreme example, but you see this pattern. You see this again and again, that the majority of your code in your applications, especially Node, is not first-party, it's third-party code.

Right.

And that means most of your security risk, most of your vulnerabilities, they come from there. So there's a lot of challenges around managing dependencies. You know, it's called dependency hell for a reason. But specifically, security is still not sufficiently taken care of; it's still overlooked. And we need to make sure that it's not just addressed by security people, but it's addressed as part of the development process by developers.

So how do you keep up, both with the number as the proliferation grows, as well as the revisions and versions inside of any particular package, right? You're kind of chasing a multi-headed beast there.

So it's definitely tough. So, first of all, the short answer is automation. I mean, any scale solution has to start with automation. I've got a security research team in Israel that has a vulnerability pipeline that feeds in from activity in the open source world.
You know, some developer opens an issue in GitHub that says SQL injection in some package, and that disappears into the ether. So we try to surface those, get it to our security analysts, determine if it's a real vulnerability, curate it in our database, and then, you know, just sort of build that database with our own research, but, you know, a lot of it is around tapping into the community. And then subsequently, when you consume this, if you want to be able to apply security correctly as you develop your applications, Node.js or otherwise, it has to come to you. It has, the security tool has to be a seamless integration with how you currently work. If you impose another step, another two steps, another three steps on our developers, they're just not going to use it. So a lot of our emphasis is scale on the consumption and the tracking of the database, and simplicity and ease of use on the developer and the user side.

And then do you help with just, like, flagging, you know, flagging "it's a problem"? Is there an alternative? I mean, I would imagine with all these interdependencies, you find one, you know, rotten apple, it can have a huge impact. You know, it's a huge scale of impact, right?

Absolutely. So we do, you know, really, you know, what our moniker is, is that we don't find vulnerabilities, we fix them, and our goal is to fix vulnerabilities. So we actually, first of all, in the flow, we have single click, open a fix PR; we figure out what changes you need to do, what upgrades you need to make to make the vulnerability go away. Literally, click a button to fix it. You know, we don't want that for everything.

Right, right, right.

And then what we also do is we build patches. Sort of a little-known fact is, in the world of operating systems, Red Hat and Canonical, they build a lot of fixes, or they backport a lot of open source fixes, and they put them into their repository so you can just say yum update or apt-get upgrade and just get those fixes.
You don't even know which vulnerabilities you're fixing; you're just getting the fixes. So we build patches for NPM packages as well, to allow you to patch vulnerabilities you cannot upgrade away. A lot of it is around fix, make fix easy.

Right, and then the other part, as you said, is baking security into the development all the way through, which we hear over and over and over, right? The castle and the moat.

Yeah, build it in, don't bolt it on.

Bolt it on. The method doesn't work anymore; you've got to have it throughout the application. So you said you're speaking on a panel tomorrow, and I wonder if you can just highlight some of the topics for tomorrow for the folks that aren't going to be here and see the panel. When you look at serverless security, say that three times fast, what are some of the real special challenges that people need to be thinking about?

Sure, so I actually have two talks tomorrow. So one is a panel on Node.js security as a whole, and that's sort of a broader panel. We have a few other colleagues in there, and we talk about the evolution of Node.js security. That includes the platform itself, which is increasingly well handled by the foundation. Definitely some improvements there over the years, and some of it is around best practices like the ones that we've just discussed, which is understanding known pitfalls and Node.js sort of security mistakes that you might make, as well as handling the NPM ecosystem. The other talk that I have later in the day is around serverless security. Serverless security is interesting because a lot of the promise of serverless, of function as a service, is that a lot of the concerns at the earlier or lower levels get abstracted away from you. You don't need to manage servers. You don't need to manage operating systems, and with those, a lot of security concerns go away, which in turn focuses the attackers, and should focus you, on the application.
You know, as you know, attackers are not just going to give up because they can't hack the operating system that the pros are managing. So they would look at the next low-hanging fruit, and that would be the application. So platform as a service and function as a service really increase the importance of dealing with application security as a whole well. So my talk is a lot about that, but also deals with other sort of security concerns that you might, you know, of course any new methodology introduces its own concerns. So I talk a little bit about how to address those. Serverless, like Node.js, is an opportunity to build security into the culture and into our methodologies from the early days. So trying to help us get it right.

All right, so as you look forward in the next 12 months, I won't say more than 12 months, six months, nine months, 12 months, what are some of your priorities at Snyk? What are you working on? If we, you know, get together a year from now, you know, what will we be talking about?

I think so, two primary ones. One is continuing the emphasis on fix, making fixing trivial in the Node.js environments as well as others. I think we've done well there, but there's more work to be done; that needs to be as seamless as possible. The other aspect is indeed in this sort of PaaS and FaaS world, sort of platform and function as a service, where increasingly there's this awareness, as we work with different platforms, to the blind spot that they have to open source libraries. You know, they fix your Nginx vulnerabilities but not your Express vulnerabilities. You know, I sometimes refer to NPM packages, or open source packages, as sprinkles of infrastructure that are just scattered through your application. And today, all of these cloud platforms are blind to it, so I expect us at Snyk to be helping PaaS and FaaS users deal with those security concerns efficiently.

All right, well, I look forward to the conversation. Thanks for stopping by.

Thank you.
Guy Podjarny, he is from Snyk, the CEO of Snyk. I'm Jeff Frick, you're watching theCUBE.